That front-facing camera staring at you from the bezel of your smartphone could be used to leak your secrets, and not in the way you probably think. A team of researchers from the University of Cambridge have developed a software package for Android devices that is capable of using a phone’s camera and microphone to figure out a user’s PIN unlock code.

The software activates the camera to watch the user's face while the device is being unlocked. The position of the user's head in the frame, and hence how the phone moves and tilts as the thumb reaches each key, is the first part of the puzzle as the app seeks to crack the code. The other angle is the microphone, which picks up the faint tap as the user hits each digit and so pins down when each keypress happens.

By combining these two bits of data, the phone's position relative to the user's face and the timing of the taps, the software can estimate which digits make up the PIN and rank the most likely codes. For 4-digit PINs the researchers found that the software recovered the code more than 50% of the time within five attempts. An 8-digit PIN was more difficult, but 60% were recovered within 10 attempts.

This is a troubling discovery because many corporate email systems enforce 4-digit PIN locks on connected phones, and such PINs may be easier to crack than expected: the camera and microphone permissions the app needs are commonly requested and routinely granted on virtually all Android devices. However, this method can be frustrated by varying the size of the keypad, which breaks the learned link between phone tilt and key position, or by using a different lock method, such as an alphanumeric password or pattern unlock.
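The inference pipeline described above (per-tap sensor reading, a per-digit probability, and a ranked list of candidate PINs scored by the "cracked within N attempts" metric), together with the keypad countermeasure from the last paragraph, as an added Python simulation. This is not the Cambridge team's code or data: the 3x4 keypad geometry, the reduction of "phone tilt" to a noisy 2-D point around each key's centre, the Gaussian noise level and the attacker's classifier are all constructed assumptions for illustration.

```python
import heapq
import math
import random

# Constructed model, not the researchers' data: a standard 3x4 phone keypad.
# The attacker's camera-side model is assumed to have learned, for each key,
# the typical phone tilt (reduced here to a normalised (x, y) point) seen
# when the thumb reaches that key; we take the key's centre as that value.
KEYPAD = ["123", "456", "789", "*0#"]
DIGITS = "0123456789"


def key_centres(layout):
    """Map each digit to a normalised (x, y) position on the given layout."""
    centres = {}
    for row, keys in enumerate(layout):
        for col, key in enumerate(keys):
            if key in DIGITS:
                centres[key] = (col / 2.0, row / 3.0)
    return centres


def tap_posterior(observation, centres, sigma):
    """Probability of each digit given one tap's (x, y) tilt observation: a
    spherical Gaussian around every key centre, normalised with a softmax."""
    x, y = observation
    logs = {d: -((x - cx) ** 2 + (y - cy) ** 2) / (2 * sigma ** 2)
            for d, (cx, cy) in centres.items()}
    m = max(logs.values())
    weights = {d: math.exp(v - m) for d, v in logs.items()}
    total = sum(weights.values())
    return {d: w / total for d, w in weights.items()}


def top_k_pins(per_tap, k):
    """Best-first enumeration of the k most probable PINs. Taps are treated as
    independent, so a PIN's probability is the product of its per-tap posteriors
    and the search only ever demotes one position by one rank per step."""
    ranked = [sorted(p.items(), key=lambda kv: -kv[1]) for p in per_tap]
    n = len(ranked)

    def cost(idx):  # negative log-probability of the PIN at these ranks
        return -sum(math.log(ranked[i][j][1]) for i, j in enumerate(idx))

    start = (0,) * n
    heap = [(cost(start), start)]
    seen = {start}
    out = []
    while heap and len(out) < k:
        _, idx = heapq.heappop(heap)
        out.append("".join(ranked[i][j][0] for i, j in enumerate(idx)))
        for i in range(n):
            if idx[i] + 1 < len(ranked[i]):
                nxt = idx[:i] + (idx[i] + 1,) + idx[i + 1:]
                if nxt not in seen:
                    seen.add(nxt)
                    heapq.heappush(heap, (cost(nxt), nxt))
    return out


def crack_rate(pin_len, attempts, trials, sigma=0.1, randomise_layout=False, seed=1):
    """Fraction of random PINs recovered within `attempts` guesses (constructed
    experiment). The victim's tilt per tap is the key's true centre plus Gaussian
    noise; the attacker always classifies against the standard layout, so a
    per-unlock shuffle of the digits (randomise_layout=True) breaks the
    tilt-to-digit mapping it learned."""
    rng = random.Random(seed)
    attacker_model = key_centres(KEYPAD)
    hits = 0
    for _ in range(trials):
        pin = "".join(rng.choice(DIGITS) for _ in range(pin_len))
        if randomise_layout:
            shuffled = list(DIGITS)
            rng.shuffle(shuffled)
            relabel = dict(zip(DIGITS, shuffled))
            layout = ["".join(relabel.get(c, c) for c in row) for row in KEYPAD]
        else:
            layout = KEYPAD
        true_centres = key_centres(layout)
        observations = [(cx + rng.gauss(0, sigma), cy + rng.gauss(0, sigma))
                        for cx, cy in (true_centres[d] for d in pin)]
        per_tap = [tap_posterior(o, attacker_model, sigma) for o in observations]
        if pin in top_k_pins(per_tap, attempts):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("4-digit, 5 attempts, fixed keypad:   ", crack_rate(4, 5, 200))
    print("8-digit, 10 attempts, fixed keypad:  ", crack_rate(8, 10, 200))
    print("4-digit, 5 attempts, shuffled keypad:", crack_rate(4, 5, 200, randomise_layout=True))
```

The point of the simulation is the shape of the attack rather than its exact numbers: any sensor reading that correlates with where the thumb lands gives a per-tap distribution over digits, and the attacker does not need a correct first guess, only the true PIN somewhere in the top handful of candidates. Shuffling the digits under the same physical positions leaves the tilt signal intact but makes it uninformative about the PIN, which is why a changing keypad layout or size is a cheap defence.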